There has been some progress in automotive cybersecurity over the past few years, with several manufacturers launching bug bounty programs and showing their willingness to collaborate with security researchers. However, it will take some time until those efforts start having a significant impact on the quality of car-related software.
To some extent, this is understandable, because car companies are relatively new to software development. Large software vendors like Microsoft, Adobe, and Oracle are still finding and fixing dozens of security flaws in their products every month, so it's not surprising that car software or accompanying mobile apps also have vulnerabilities.
There is some urgency, though, because compared to computers, cars are a bigger threat to human safety. And unfortunately, the flaws being discovered in car software are often basic security oversights that could have easily been avoided by following well-known secure development principles.
In another recent incident, researchers from Israeli firm Argus Cyber Security were able to turn off the engine of a moving car when in Bluetooth range due to a vulnerability in a car monitoring device from Bosch called the Drivelog Connector. This dongle connects to a car's on-board diagnostics (OBD-II) port and monitors its "health" to alert drivers when the car needs servicing. It comes with an accompanying mobile app.
The Argus researchers found an issue in the Bluetooth-based authentication system between the app and the dongle that allowed them to guess the authorization PIN by using brute-force methods after attempting to connect to the dongle once. With the PIN, the researchers found a way to remotely send malicious commands through the dongle to the controller area network (CAN Bus) that's used by the car's electronic control units (ECUs) to communicate.
The CAN Bus doesn't have any encryption or authentication because ECUs need to communicate with each other and react to sensor readings as fast as possible in order to perform critical functions. Because of that, gaining unrestricted access to the CAN Bus is the holy grail for any car hacker.
Unfortunately, previous car hacks have shown that car manufacturers don't properly isolate the CAN Bus from peripheral and remotely accessible systems. In 2015, researchers Charlie Miller and Chris Valasek found a way to hack into the infotainment system of the Jeep Cherokee and other Fiat Chrysler vehicles over a mobile data connection and then jump to the CAN Bus to take over the brake, steering, and other critical systems.
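The isolation that paragraph says is missing can be pictured as a gateway between the OBD-II port and the internal bus that forwards only read-only diagnostic requests. The sketch below is an added example, not code from Bosch, Argus, or any manufacturer. The struct and function names, the service allowlist, and the gateway placement are assumptions, and the sample frames are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a receiver sees of a classic CAN data frame: identifier, length and
 * data. No field identifies or authenticates the sender. */
struct can_frame_min {          /* hypothetical name */
    uint32_t id;                /* 11-bit identifier */
    uint8_t  dlc;               /* number of data bytes, 0..8 */
    uint8_t  data[8];
};

static const uint8_t READ_ONLY_SERVICES[] = { 0x01, 0x02, 0x03, 0x09 }; /* assumed policy */

/* Decide whether a frame arriving on the OBD-II port segment may be forwarded. */
bool gateway_allow_from_obd(const struct can_frame_min *f)
{
    if (f == NULL || f->dlc < 2 || f->dlc > 8)
        return false;
    /* Only diagnostic request ids: 0x7DF functional, 0x7E0..0x7E7 physical. */
    if (f->id != 0x7DF && (f->id < 0x7E0 || f->id > 0x7E7))
        return false;
    uint8_t pci = f->data[0];
    if ((pci & 0xF0) == 0x30)   /* ISO-TP flow control, needed for long replies */
        return true;
    if ((pci & 0xF0) != 0x00)   /* anything else must be a single frame */
        return false;
    uint8_t len = pci & 0x0F;
    if (len < 1 || len > f->dlc - 1)
        return false;
    for (size_t i = 0; i < sizeof READ_ONLY_SERVICES; i++)
        if (READ_ONLY_SERVICES[i] == f->data[1])
            return true;
    return false;
}

int main(void)
{
    const struct can_frame_min samples[] = {  /* constructed, not captured */
        { 0x7DF, 8, { 0x02, 0x01, 0x0C } },  /* read engine RPM */
        { 0x7E0, 8, { 0x01, 0x04 } },        /* service 0x04: clear trouble codes */
        { 0x244, 8, { 0x02, 0x01, 0x0C } },  /* non-diagnostic identifier */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("id=0x%03X -> %s\n", (unsigned)samples[i].id,
               gateway_allow_from_obd(&samples[i]) ? "forward" : "drop");
    return 0;
}
```

Because the frame carries no sender identity, the filter can only judge identifier and payload, which is why it has to sit at the boundary between the port and the rest of the bus.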
Making cars "smarter" by adding internet connectivity and remotely accessible features can certainly enhance a car owner's experience, but it also increases the cars' attack surface. It's possible that many of these functions will be properly secured in time if car makers continue to take cybersecurity seriously, but for now, it seems more likely that if a car has remote control features, there's an exploitable bug somewhere in the implementation.